How to find and obtain the SecretURL for disk_encryption_key block for resource "azurerm_managed_disk" in terraform

Setting up SecretURL for disk_encryption_key block for resource "azurerm_managed_disk" using terraform

The Blocker you mentioned is due to use of depreciating encryption_settings inside disk configuration.

In order to use the Secret URL for disk_encryption_key block you need to use the azurerm_disk_encryption_set to pass the encryption key from the vault & also the vault should have all necessary permissions.

I tried the terraform configuration with the necessary changes so that you can use the key and secret from the vault.

My terraform configuration:

provider "azurerm" {
  features {}
}

variable "disk_encryption_key_vault_name" {
  default = "samvksbbb"
}

variable "disk_encryption_key_rg" {
  default = "vkk-resources"
}

variable "disk_encryption_key_name" {
  default = "samplekey"
}

variable "disk_encryption_secret_name" {
  default = "samplesecret"
}

variable "data_disk_count" {
  default = 1
}

variable "vm_name" {
  default = "samplevmvk"
}

variable "location" {
  default = "westus2"
}

variable "resource_group_name" {
  default = "vkk-resources"
}

variable "data_disk_storage_account_type" {
  default = "Standard_LRS"
}

variable "data_disk_size_gb" {
  default = 1024
}

variable "tags" {
  default = {
    Environment = "Production"
  }
}

data "azurerm_resource_group" "example" {
  name = var.resource_group_name
}


data "azurerm_key_vault" "kv" {
  name                = var.disk_encryption_key_vault_name
  resource_group_name = var.disk_encryption_key_rg
}


data "azurerm_key_vault_key" "encryption_kv_key" {
  name         = var.disk_encryption_key_name
  key_vault_id = data.azurerm_key_vault.kv.id
}


data "azurerm_key_vault_secret" "encryption_secret" {
  name         = var.disk_encryption_secret_name
  key_vault_id = data.azurerm_key_vault.kv.id
}

resource "azurerm_disk_encryption_set" "example" {
      name                = "encryptionset"
      resource_group_name = data.azurerm_resource_group.example.name
      location            = data.azurerm_resource_group.example.location
      key_vault_key_id    = data.azurerm_key_vault_key.encryption_kv_key.id
      encryption_type = "EncryptionAtRestWithCustomerKey"
    
      identity {
        type = "SystemAssigned"
      }
}


# Resource block to create a Managed Disk with encryption settings
resource "azurerm_managed_disk" "data" {
  count                = var.data_disk_count
  name                 = "${var.vm_name}-DataDiskq-${count.index + 1}"
  location             = var.location
  resource_group_name  = var.resource_group_name
  storage_account_type = var.data_disk_storage_account_type
  create_option        = "Empty"
  disk_size_gb         = var.data_disk_size_gb
  tags                 = var.tags
  disk_encryption_set_id = azurerm_disk_encryption_set.example.id

}

Deployment succeeded:

Make sure you add permission for managed identity created
in azurerm_disk_encryption_set follow the SO

key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

which will help you have better understanding on that permission & also Location of vault and disk should match.

Refer:

Azure portal – Enable customer-managed keys with SSE – managed disks – Azure Virtual Machines | Microsoft Learn